constellation/.github/workflows/build-os-image.yml

498 lines
25 KiB
YAML
Raw Normal View History

2022-10-19 07:10:15 -04:00
name: Build and Upload OS image
on:
workflow_dispatch:
inputs:
imageVersion:
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required: false
debug:
description: "Build debug image"
type: boolean
default: false
required: false
jobs:
build-dependencies:
name: "Build binaries for embedding in the OS"
runs-on: ubuntu-22.04
permissions:
contents: read
packages: read
2022-10-01 18:48:06 -04:00
outputs:
bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
2022-10-19 07:10:15 -04:00
steps:
- name: Checkout
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0
2022-10-19 07:10:15 -04:00
- name: Build bootstrapper
if: ${{ inputs.debug == false }}
uses: ./.github/actions/build_bootstrapper
with:
outputPath: ${{ github.workspace }}/build/bootstrapper
- name: Build debugd
if: ${{ inputs.debug == true }}
uses: ./.github/actions/build_debugd
with:
outputPath: ${{ github.workspace }}/build/bootstrapper
- name: Build disk-mapper
uses: ./.github/actions/build_disk_mapper
with:
outputPath: ${{ github.workspace }}/build/disk-mapper
- name: Upload dependencies
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
2022-10-19 07:10:15 -04:00
with:
name: dependencies
path: |
${{ github.workspace }}/build/bootstrapper
${{ github.workspace }}/build/disk-mapper
- name: Collect hashes
2022-10-01 18:48:06 -04:00
id: collect-hashes
2022-10-19 07:10:15 -04:00
run: |
2022-10-01 18:48:06 -04:00
echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" >> $GITHUB_OUTPUT
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT
2022-10-19 07:10:15 -04:00
working-directory: ${{ github.workspace }}/build
make-os-image:
name: "Build OS using mkosi"
needs: build-dependencies
runs-on: ubuntu-22.04
2022-10-01 18:48:06 -04:00
# TODO: flatten outputs once possible
# https://github.com/community/community/discussions/17245
outputs:
2022-10-17 11:39:49 -04:00
image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }}
image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }}
image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }}
2022-10-17 11:39:49 -04:00
image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }}
image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }}
image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }}
2022-10-17 11:39:49 -04:00
image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }}
image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }}
image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }}
2022-10-17 11:39:49 -04:00
image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }}
image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }}
image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }}
2022-10-17 11:39:49 -04:00
image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }}
image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }}
image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }}
2022-10-17 11:39:49 -04:00
image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }}
image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }}
image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }}
2022-10-17 11:39:49 -04:00
image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }}
image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }}
image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }}
2022-10-17 11:39:49 -04:00
image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }}
2022-10-01 18:48:06 -04:00
image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }}
image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }}
image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }}
2022-10-19 07:10:15 -04:00
strategy:
matrix:
2022-10-17 11:39:49 -04:00
csp: [aws, azure, gcp, qemu]
2022-10-19 07:10:15 -04:00
steps:
- name: Checkout
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0
2022-10-19 07:10:15 -04:00
- name: Download build dependencies
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
2022-10-19 07:10:15 -04:00
with:
name: dependencies
path: ${{ github.workspace }}/build
- name: Mark bootstrapper and disk-mapper as executable
run: |
chmod +x ${{ github.workspace }}/build/bootstrapper
chmod +x ${{ github.workspace }}/build/disk-mapper
- name: Setup mkosi
uses: ./.github/actions/setup_mkosi
with:
version: 1750fc261a071f39c54f8b64ce2424195f750ee0
- name: Prepare PKI for secure boot signing
shell: bash
run: |
ln -s pki_testing pki
echo "${DB_KEY}" > pki/db.key
working-directory: ${{ github.workspace }}/image
2022-10-19 07:10:15 -04:00
env:
DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }}
- name: Build
shell: bash
run: |
echo "::group::Build"
sudo make "${CSP}"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
2022-10-19 07:10:15 -04:00
env:
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
CSP: ${{ matrix.csp }}
2022-10-01 18:48:06 -04:00
- name: Collect hashes
id: collect-hashes
run: |
echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" >> $GITHUB_OUTPUT
echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" >> $GITHUB_OUTPUT
echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" >> $GITHUB_OUTPUT
echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" >> $GITHUB_OUTPUT
echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" >> $GITHUB_OUTPUT
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
2022-10-01 18:48:06 -04:00
continue-on-error: true
2022-10-19 07:10:15 -04:00
- name: Upload raw OS image as artifact
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
2022-10-19 07:10:15 -04:00
with:
name: image-${{ matrix.csp }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw
2022-10-19 07:10:15 -04:00
if: always()
continue-on-error: true
- name: Upload individual OS parts as artifacts
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
2022-10-19 07:10:15 -04:00
with:
name: parts-${{ matrix.csp }}
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz
2022-10-19 07:10:15 -04:00
if: always()
continue-on-error: true
- name: Upload manifest as artifact
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
2022-10-19 07:10:15 -04:00
with:
name: manifest-${{ matrix.csp }}
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest
2022-10-19 07:10:15 -04:00
if: always()
continue-on-error: true
upload-os-image:
name: "Upload OS image to CSP"
needs: make-os-image
runs-on: ubuntu-22.04
2022-10-17 11:39:49 -04:00
permissions:
id-token: write
contents: read
2022-10-19 07:10:15 -04:00
strategy:
matrix:
2022-10-17 11:39:49 -04:00
csp: [aws, azure, gcp]
2022-10-19 07:10:15 -04:00
upload-variant: [""]
include:
- csp: azure
upload-variant: TrustedLaunch
steps:
- name: Checkout
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0
2022-10-19 07:10:15 -04:00
- name: Download OS image artifact
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
2022-10-19 07:10:15 -04:00
with:
name: image-${{ matrix.csp }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
2022-10-19 07:10:15 -04:00
- name: Install tools
shell: bash
run: |
echo "::group::Install tools"
sudo apt-get update
2022-10-17 11:39:49 -04:00
sudo apt-get install -y \
pigz \
qemu-utils \
python3-crc32c
2022-10-19 07:10:15 -04:00
echo "::endgroup::"
2022-10-17 11:39:49 -04:00
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
2022-10-17 11:39:49 -04:00
if: ${{ matrix.csp == 'aws' || matrix.csp == 'azure' }}
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
2022-10-19 07:10:15 -04:00
- name: Login to Azure
uses: ./.github/actions/azure_login
2022-10-19 07:10:15 -04:00
with:
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
2022-10-19 07:10:15 -04:00
- name: Login to GCP
uses: ./.github/actions/gcp_login
if: ${{ matrix.csp == 'gcp' }}
with:
gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
- name: Prepare PKI for image upload
shell: bash
run: ln -s pki_testing pki
working-directory: ${{ github.workspace }}/image
2022-10-19 07:10:15 -04:00
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
2022-10-17 11:39:49 -04:00
# Make sure to set valid names for AWS, Azure and GCP
2022-10-19 07:10:15 -04:00
# Azure
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
#
# GCP
# image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
- name: Configure input variables
shell: bash
run: |
timestamp=${{ steps.version.outputs.timestamp }}
semver=${{ steps.version.outputs.semanticVersion }}
imageVersion=${{ inputs.imageVersion }}
pseudover=${{ steps.version.outputs.pseudoVersion }}
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
2022-10-17 11:39:49 -04:00
echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV
echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV
echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV
echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV
echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV
echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV
echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV
2022-10-19 07:10:15 -04:00
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
2022-10-19 07:10:15 -04:00
echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV
echo "AZURE_REGION=northeurope" >> $GITHUB_ENV
echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV
echo "AZURE_SKU=constellation" >> $GITHUB_ENV
echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
2022-10-19 07:10:15 -04:00
# TODO: set default security type to "ConfidentialVM" once replication is possible
AZURE_SECURITY_TYPE=${{ matrix.upload-variant }}
if [ -z "${AZURE_SECURITY_TYPE}" ]; then
AZURE_SECURITY_TYPE=ConfidentialVMSupported
fi
echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
then
2022-10-17 11:39:49 -04:00
echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV
2022-10-19 07:10:15 -04:00
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=constellation
echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
then
2022-10-17 11:39:49 -04:00
echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
2022-10-19 07:10:15 -04:00
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${semver}
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation_Debug
else
2022-10-17 11:39:49 -04:00
echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
2022-10-19 07:10:15 -04:00
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation_Testing
fi
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV
echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV
else
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
2022-10-19 07:10:15 -04:00
fi
echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
- name: Download VMGS blob
2022-10-17 11:39:49 -04:00
run: |
aws s3 cp \
--region ${AWS_REGION} \
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
--no-progress
working-directory: ${{ github.workspace }}/image
2022-10-17 11:39:49 -04:00
if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }}
- name: Upload AWS image
shell: bash
run: |
echo "::group::Upload AWS image"
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
upload/upload_aws.sh "${AWS_AMI_OUTPUT}"
echo -e "Uploaded AWS image: \`\`\`$(cat "${AWS_AMI_OUTPUT}" | jq)\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'aws' }}
2022-10-19 07:10:15 -04:00
- name: Upload GCP image
shell: bash
run: |
echo "::group::Upload GCP image"
upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
upload/upload_gcp.sh
echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
2022-10-19 07:10:15 -04:00
if: ${{ matrix.csp == 'gcp' }}
- name: Upload Azure image
shell: bash
run: |
echo "::group::Upload Azure image"
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
2022-10-19 07:10:15 -04:00
if: ${{ matrix.csp == 'azure' }}
2022-10-18 10:23:00 -04:00
calculate-pcrs:
name: "Calculate PCRs"
needs: [make-os-image]
runs-on: ubuntu-22.04
strategy:
matrix:
2022-10-17 11:39:49 -04:00
csp: [aws, azure, gcp, qemu]
2022-10-18 10:23:00 -04:00
steps:
- name: Checkout repository
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0
2022-10-18 10:23:00 -04:00
- name: Download OS image artifact
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
2022-10-18 10:23:00 -04:00
with:
name: image-${{ matrix.csp }}
- name: Install dependencies
run: |
echo "::group::Install dependencies"
python -m pip install --user lief==0.12.2
sudo apt-get update
sudo apt-get install -y systemd-container # for systemd-dissect
echo "::endgroup::"
- name: Calculate expected PCRs
run: |
echo "::group::Calculate expected PCRs"
2022-10-12 09:13:33 -04:00
./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY
./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }} >> $GITHUB_STEP_SUMMARY
./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY
cp pcr-stable.json ${{ github.workspace }}/
jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json
2022-10-18 10:23:00 -04:00
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image/measured-boot
2022-10-18 10:23:00 -04:00
- name: Upload expected PCRs as artifact
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
2022-10-18 10:23:00 -04:00
with:
name: pcrs
path: pcrs-${{ matrix.csp }}.json
2022-10-19 07:10:15 -04:00
generate-sbom:
name: "Generate SBOM"
2022-10-01 18:48:06 -04:00
needs: [build-dependencies, make-os-image]
2022-10-19 07:10:15 -04:00
runs-on: ubuntu-22.04
steps:
- name: Install squashfs tools
run: |
echo "::group::Install squashfs tools"
sudo apt-get update
sudo apt-get install -y squashfs-tools
echo "::endgroup::"
- name: Download rootfs
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
2022-10-19 07:10:15 -04:00
with:
# downloading / using only the QEMU rootfs is fine
# since the images only differ in the ESP partition
name: parts-qemu
- name: Unpack squashfs
run: |
echo "::group::Unpack squashfs"
unsquashfs -user-xattrs -d image.root.tree image.root.raw
echo "::endgroup::"
- uses: anchore/sbom-action@b5042e9d19d8b32849779bfe17673ff84aec702d # tag=v0.12.0
2022-10-19 07:10:15 -04:00
with:
path: image.root.tree
artifact-name: sbom.spdx.json
format: spdx-json
- uses: anchore/sbom-action@b5042e9d19d8b32849779bfe17673ff84aec702d # tag=v0.12.0
2022-10-19 07:10:15 -04:00
with:
path: image.root.tree
artifact-name: sbom.cyclonedx.json
format: cyclonedx-json
- uses: anchore/sbom-action@b5042e9d19d8b32849779bfe17673ff84aec702d # tag=v0.12.0
2022-10-19 07:10:15 -04:00
with:
path: image.root.tree
artifact-name: sbom.syft.json
format: syft-json
2022-10-01 18:48:06 -04:00
- name: Combine hashes
run: |
cat > SHA256SUMS <<EOF
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
2022-10-17 11:39:49 -04:00
${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi
${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz
2022-10-01 18:48:06 -04:00
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-azure-sha256 }} azure/image.efi
${{ needs.make-os-image.outputs.image-initrd-azure-sha256 }} azure/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-azure-sha256 }} azure/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-azure-sha256 }} azure/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-gcp-sha256 }} gcp/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-gcp-sha256 }} gcp/image.efi
${{ needs.make-os-image.outputs.image-initrd-gcp-sha256 }} gcp/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-gcp-sha256 }} gcp/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-sha256 }} gcp/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-qemu-sha256 }} qemu/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-qemu-sha256 }} qemu/image.efi
${{ needs.make-os-image.outputs.image-initrd-qemu-sha256 }} qemu/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-qemu-sha256 }} qemu/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz
EOF
cat SHA256SUMS
echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> $GITHUB_STEP_SUMMARY